From: Lars Gustäbel
Newsgroups: comp.lang.python
Subject: Re: tarfile : secure extract?
Date: Fri, 12 Feb 2016 20:21:25 +0100

On Thu, Feb 11, 2016 at 11:24:01PM +0000, Ulli Horlacher wrote:
> In https://docs.python.org/2/library/tarfile.html there is a warning:
>
> Never extract archives from untrusted sources without prior inspection.
> It is possible that files are created outside of path, e.g. members that
> have absolute filenames starting with "/" or filenames with two dots
> "..".
>
> My program has to extract tar archives from untrusted sources :-}

Read the discussion in this issue on why this might be a bad idea:

http://bugs.python.org/issue21109

-- 
Lars Gustäbel
lars@gustaebel.de
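As an added example (not code from this thread or from the Python project), a pre-extraction check for the two cases the quoted documentation names, absolute member names and ".." components; it also rejects symlink and hardlink members whose target resolves outside the destination, which goes beyond the quoted warning. The archive is constructed in memory, and `unsafe_members`, `safe_extractall` and the sample member names are assumptions of this example.

```python
import io
import os
import tarfile

def _is_within(base, target):
    """True if target, joined to base, resolves to a path inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, target))
    return os.path.commonpath([base, target]) == base

def unsafe_members(tar, dest):
    """Return names of members that would land outside dest on extraction."""
    bad = []
    for m in tar.getmembers():
        # the two cases named in the docs: absolute names and '..' escapes
        if m.name.startswith("/") or not _is_within(dest, m.name):
            bad.append(m.name)
        # extra: symlinks/hardlinks whose target resolves outside dest
        elif m.issym() or m.islnk():
            target = os.path.join(os.path.dirname(m.name), m.linkname)
            if m.linkname.startswith("/") or not _is_within(dest, target):
                bad.append(m.name)
    return bad

def safe_extractall(tar, dest):
    """Refuse the whole archive if any member is unsafe, else extract."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, unsafe members: %r" % bad)
    tar.extractall(dest)

def build_sample_archive():
    """Constructed in-memory archive: one benign file plus three escapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../escape.txt", "/etc/passwd"):
            tar.addfile(tarfile.TarInfo(name))  # empty regular files
        link = tarfile.TarInfo("docs/link")  # symlink escaping via its target
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    buf.seek(0)
    return buf

def check_sample(dest="extracted"):
    """Run the check against the constructed archive without extracting."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        return unsafe_members(tar, dest)
```

Python 3.12 added extraction filters, `tar.extractall(dest, filter="data")`, which apply comparable checks inside the library itself.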